Biopython Bio.Entrez XXE Vulnerability Allowing Server-Side Request Forgery

Vulnerability

A vulnerability in Biopython's Bio.Entrez module, present in versions through 186, allows for XML external entity (XXE) attacks. The parser in this module can be tricked into making arbitrary HTTP GET requests. This behavior can be exploited to access internal network resources or cause a denial-of-service. The issue arises because the parser does not properly handle external entities, leading to potential server-side request forgery (SSRF) vulnerabilities. Additionally, the lack of enforced TLS can expose users to man-in-the-middle attacks.

Impact

Exploitation of this vulnerability could lead to unauthorized HTTP requests being made from the application, potentially accessing internal resources or causing a denial-of-service.

Reproduction

The vulnerability can be reproduced by using the Bio.Entrez.read or Bio.Entrez.parse functions with crafted XML that includes external entities. The parser will then fetch the DTD or XSD files from the internet, unless a local file is available, creating an opportunity for XXE and SSRF attacks.
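The two behaviours described above (a parser that resolves the DOCTYPE's external DTD or an external entity, and a parser configured to refuse them) can be observed with Python's standard expat binding. The following is an added example written for this page, not Biopython's own code: `external_references` records every identifier a permissive parser would try to fetch without actually fetching it, and `parse_strict` is one way to harden such a parser. All sample documents and URLs are constructed placeholders.

```python
"""Observe and refuse external DTD/entity references in XML fed to an
expat-based parser (Python's xml.parsers.expat). Added example, not
Biopython code; every document and URL below is constructed."""
import xml.parsers.expat as expat

# Constructed Entrez-style response whose DOCTYPE names an external DTD.
DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE eSearchResult SYSTEM "http://dtd.example.invalid/eSearchResult.dtd">
<eSearchResult><Count>1</Count><IdList><Id>12345</Id></IdList></eSearchResult>
"""

# Constructed document declaring an external general entity in its internal
# subset and referencing it in content (the classic XXE shape).
ENTITY_XML = b"""<?xml version="1.0"?>
<!DOCTYPE r [<!ENTITY ext SYSTEM "http://internal.example.invalid/status">]>
<r>&ext;</r>
"""

# Constructed document with no DOCTYPE at all.
CLEAN_XML = b"""<?xml version="1.0"?>
<eSearchResult><Count>1</Count><IdList><Id>12345</Id></IdList></eSearchResult>
"""


def external_references(data):
    """Return the system identifiers (URLs or paths) a permissive parser would
    resolve for this document, without resolving any of them.

    expat calls ExternalEntityRefHandler for the external DTD subset (when
    parameter-entity parsing is enabled) and for every external general
    entity it expands. Here the handler only records the identifier and
    returns 1 ("handled"); a client that issued an HTTP GET for system_id
    in this handler would be making attacker-chosen requests (SSRF)."""
    seen = []
    parser = expat.ParserCreate()
    # Report the external DTD subset as a parameter-entity reference.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_external_entity(context, base, system_id, public_id):
        seen.append(system_id)
        return 1  # must be an int; 0 would abort the parse

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)
    return seen


class ExternalReferenceError(ValueError):
    """Raised when a document asks the parser to resolve anything external."""


def parse_strict(data):
    """Parse a document and return its element names in document order,
    refusing any document that carries an external DTD or external entity."""
    parser = expat.ParserCreate()
    # Never read the external subset or expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    tags = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A SYSTEM or PUBLIC identifier on the DOCTYPE means an external DTD.
        if system_id is not None or public_id is not None:
            raise ExternalReferenceError("external DTD: %r" % system_id)

    def on_external_entity(context, base, system_id, public_id):
        # Reached for external general entities declared in the internal subset.
        raise ExternalReferenceError("external entity: %r" % system_id)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: tags.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return tags


def rejects(data):
    """True if parse_strict refuses the document."""
    try:
        parse_strict(data)
    except ExternalReferenceError:
        return True
    return False


if __name__ == "__main__":
    print("would fetch:", external_references(DTD_XML))
    print("would fetch:", external_references(ENTITY_XML))
    print("strict parse of clean doc:", parse_strict(CLEAN_XML))
    print("strict parser rejects DTD doc:", rejects(DTD_XML))
```

The first function is the detection half: running it over XML received from an untrusted source shows exactly which hosts a DTD-fetching parser would be made to contact. The second is the mitigation shape the Remediation section's fix needs to deliver: external references are refused outright rather than fetched, and the clean document still parses normally.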

Remediation

Users are advised to update to a version of Biopython that addresses this vulnerability. Instructions for updating can be found in the Biopython documentation.

Added: Dec 18, 2025, 6:17 AM
Updated: Dec 18, 2025, 6:17 AM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          0.6
  exploitability  8.7
  remediation     0.0
  relevance       1.5
  threat          6.4
  urgency         2.9
  incentive       5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.